From 54d41f49a37a13abbac4905da77528b2e0c73bb4 Mon Sep 17 00:00:00 2001 From: Justin Boswell Date: Tue, 3 Aug 2021 11:05:09 -0700 Subject: [PATCH] added logging to signing validation functions (#136) * added logging to signing validation functions --- source/aws_signing.c | 51 +++++++++++++++++++++++++------------ source/credentials.c | 1 + source/signing_config.c | 1 + source/sigv4_http_request.c | 6 +++-- 4 files changed, 41 insertions(+), 18 deletions(-) diff --git a/source/aws_signing.c b/source/aws_signing.c index 0ebef61b..a1699fb2 100644 --- a/source/aws_signing.c +++ b/source/aws_signing.c @@ -2372,20 +2372,29 @@ int aws_verify_sigv4a_signing( int result = AWS_OP_ERR; if (base_config->config_type != AWS_SIGNING_CONFIG_AWS) { + AWS_LOGF_ERROR(AWS_LS_AUTH_SIGNING, "Signing config is not an AWS signing config"); return aws_raise_error(AWS_AUTH_SIGNING_MISMATCHED_CONFIGURATION); } + if (aws_validate_aws_signing_config_aws((void *)base_config)) { + AWS_LOGF_ERROR(AWS_LS_AUTH_SIGNING, "Signing config failed validation"); + return aws_raise_error(AWS_AUTH_SIGNING_INVALID_CONFIGURATION); + } + const struct aws_signing_config_aws *config = (void *)base_config; if (config->algorithm != AWS_SIGNING_ALGORITHM_V4_ASYMMETRIC) { + AWS_LOGF_ERROR(AWS_LS_AUTH_SIGNING, "Signing algorithm is not V4_ASYMMETRIC"); return aws_raise_error(AWS_ERROR_INVALID_ARGUMENT); } if (config->credentials == NULL) { + AWS_LOGF_ERROR(AWS_LS_AUTH_SIGNING, "AWS credentials were not provided/null"); return aws_raise_error(AWS_ERROR_INVALID_ARGUMENT); } struct aws_signing_state_aws *signing_state = aws_signing_state_new(allocator, config, signable, NULL, NULL); if (!signing_state) { + AWS_LOGF_ERROR(AWS_LS_AUTH_SIGNING, "Unable to create new signing state"); return AWS_OP_ERR; } @@ -2399,38 +2408,46 @@ int aws_verify_sigv4a_signing( AWS_BYTE_CURSOR_PRI(ecc_key_pub_x), AWS_BYTE_CURSOR_PRI(ecc_key_pub_y)); - struct aws_ecc_key_pair *verification_key = - aws_ecc_key_new_from_hex_coordinates(allocator, AWS_CAL_ECDSA_P256, ecc_key_pub_x, ecc_key_pub_y); - if (verification_key == NULL) { - goto done; - } - - if (aws_credentials_get_ecc_key_pair(signing_state->config.credentials) == NULL) { - struct aws_credentials *ecc_credentials = - aws_credentials_new_ecc_from_aws_credentials(allocator, signing_state->config.credentials); - aws_credentials_release(signing_state->config.credentials); - signing_state->config.credentials = ecc_credentials; - if (signing_state->config.credentials == NULL) { - goto done; - } - } + struct aws_ecc_key_pair *verification_key = NULL; if (aws_signing_build_canonical_request(signing_state)) { + AWS_LOGF_ERROR(AWS_LS_AUTH_SIGNING, "Unable to canonicalize request for signing"); goto done; } struct aws_byte_cursor canonical_request_cursor = aws_byte_cursor_from_buf(&signing_state->canonical_request); if (aws_byte_cursor_compare_lexical(&expected_canonical_request_cursor, &canonical_request_cursor) != 0) { + AWS_LOGF_ERROR(AWS_LS_AUTH_SIGNING, "Canonicalized request and expected canonical request do not match"); aws_raise_error(AWS_AUTH_CANONICAL_REQUEST_MISMATCH); goto done; } if (aws_signing_build_string_to_sign(signing_state)) { + AWS_LOGF_ERROR(AWS_LS_AUTH_SIGNING, "Unable to build string to sign from canonical request"); goto done; } + verification_key = + aws_ecc_key_new_from_hex_coordinates(allocator, AWS_CAL_ECDSA_P256, ecc_key_pub_x, ecc_key_pub_y); + if (verification_key == NULL) { + AWS_LOGF_ERROR(AWS_LS_AUTH_SIGNING, "Unable to create an ECC key from provided coordinates"); + goto done; + } + + if (aws_credentials_get_ecc_key_pair(signing_state->config.credentials) == NULL) { + struct aws_credentials *ecc_credentials = + aws_credentials_new_ecc_from_aws_credentials(allocator, signing_state->config.credentials); + aws_credentials_release(signing_state->config.credentials); + signing_state->config.credentials = ecc_credentials; + if (signing_state->config.credentials == NULL) { + AWS_LOGF_ERROR(AWS_LS_AUTH_SIGNING, "Unable to create ECC from provided credentials") + goto done; + } + } + if (aws_validate_v4a_authorization_value( allocator, verification_key, aws_byte_cursor_from_buf(&signing_state->string_to_sign), signature_cursor)) { + AWS_LOGF_ERROR(AWS_LS_AUTH_SIGNING, "Signature does not validate"); aws_raise_error(AWS_AUTH_SIGV4A_SIGNATURE_VALIDATION_FAILURE); goto done; } @@ -2439,7 +2456,9 @@ int aws_verify_sigv4a_signing( done: - aws_ecc_key_pair_release(verification_key); + if (verification_key) { + aws_ecc_key_pair_release(verification_key); + } aws_signing_state_destroy(signing_state); return result; diff --git a/source/credentials.c b/source/credentials.c index 3b200fc9..061ae86a 100644 --- a/source/credentials.c +++ b/source/credentials.c @@ -212,6 +212,7 @@ struct aws_credentials *aws_credentials_new_ecc( uint64_t expiration_timepoint_in_seconds) { if (access_key_id.len == 0 || ecc_key == NULL) { + AWS_LOGF_ERROR(AWS_LS_AUTH_GENERAL, "Provided credentials do not have a valid access_key_id or ecc_key"); return NULL; } diff --git a/source/signing_config.c b/source/signing_config.c index 6879713f..12899e8d 100644 --- a/source/signing_config.c +++ b/source/signing_config.c @@ -39,6 +39,7 @@ const char *aws_signing_algorithm_to_string(enum aws_signing_algorithm algorithm int aws_validate_aws_signing_config_aws(const struct aws_signing_config_aws *config) { if (config == NULL) { + AWS_LOGF_ERROR(AWS_LS_AUTH_SIGNING, "AWS signing config is null"); return aws_raise_error(AWS_AUTH_SIGNING_INVALID_CONFIGURATION); } diff --git a/source/sigv4_http_request.c b/source/sigv4_http_request.c index 62e95814..a688c2e7 100644 --- a/source/sigv4_http_request.c +++ b/source/sigv4_http_request.c @@ -157,8 +157,10 @@ int aws_apply_signing_result_to_http_request( return AWS_OP_ERR; } - struct aws_http_header dest_header = {.name = aws_byte_cursor_from_string(source_header.name), - .value = aws_byte_cursor_from_string(source_header.value)}; + struct aws_http_header dest_header = { + .name = aws_byte_cursor_from_string(source_header.name), + .value = aws_byte_cursor_from_string(source_header.value), + }; aws_http_message_add_header(request, dest_header); }